Best practices guide a wireless deployment at BYU-Hawaii, meaning no trouble in paradise.

Considering their previous experiences with Cisco’s product, the evaluation ultimately came down to Avenda and Impulse. In the end, Avenda proved to be feature rich with very competitive technical add-on value and aggressive pricing. It was also the easiest company to work with, which is a big deal since our IT team consists of only three IT people to support the entire network and nearly 3,000 users.

Avenda was the only solution we found to natively support 802.1X wireless, wired, and VPN for authentication and authorization. We selected the Quick1X product to help us streamline the configuration of 802.1X variables on the user’s devices, believing that the ability to automate this process would make 802.1X transparent for the end users and cut down on help desk calls. It was also an important best practice to select components that simplified the creation of policies, accelerated the deployment process, and provided critical reporting, visibility and trouble-shooting tools.

It is important to note than many vendors tell us that in order to make their products work, we have to change how we operate. Many vendors expected us to manually recreate much of our users’ information, and wouldn’t allow us to leverage group and user attributes already configured in Active Directory databases. The ability for the solutions selected to integrate with a myriad of data sources, such as Active Directory, allowed us to deploy security in a fashion that best suits our environment, instead of being forced to change the way we do business.

As a result of this upgrade, the IT team quickly began controlling and differentiating access to the network and determining what users were doing once on the network. Our main goals have been achieved, and now we have the network access visibility that we didn’t have before. Collecting user information and details about network usage and performance of the campus wireless network now takes only minutes.

The improved visibility from the authentication platform has allowed us to pinpoint configuration issues in the wireless access devices. As a bonus, the new solution has been much better received by users because there are fewer network connection issues – and in IT no news is good news. For example, users don’t have to re-authenticate when roaming from one part of the campus to another like in the past, which saves time and reduces stress on the students and faculty.

Because the system has works so well on the wireless side, the IT team can start looking at deploying network security for other network access methods. Looking to the future, BYU–Hawaii envisions turning on 802.1X authentication across the campus for its wired network, as well. Another future goal is to enable the system’s comprehensive NAC health check enforcement capabilities. For example, the IT team would be able to allow access to the network for only those devices with up-to-date virus, spyware, and firewall protection.

In summary, best practices for deploying 802.1X should start with a well thought out plan that includes, but is not limited to, the following considerations:

- Do your wireless and wired networking devices support 802.1X? - Will you have the ability to use your existing identity stores? - The AAA/NAC platform should support multi-vendor environments - The solution should include a way to easily configure 802.1X variables in a variety of user devices (Windows, Mac OS, Linux) - Creating and testing policies should be easy to use and streamline processes - The AAA/NAC platform should support a variety of user and device authentication methods - Visibility and troubleshooting tools should be included - The AAA/NAC platform should provide guest access management and multiple sponsor roles - Find a vendor that shares in your goals

Mark Aughenbaugh is infrastructure director and John Call is a systems and network analyst at BYU–Hawaii.